Scrutinizing ‘Critical Infrastructure Risk Assessment’ to assess and reduce threats

In a detailed handbook, titled “Critical Infrastructure Risk Assessment – The Definitive Threat Identification and Threat Reduction Handbook,” Ernie Hayden offers critical infrastructure and risk assessors details on the preparation, performance, and documentation of risk assessment in a complex facility. 

A highly experienced and seasoned technical consultant, author, speaker, strategist, and thought-leader, Hayden provides assessors, business managers, operators, and planners access to his extensive experience in critical infrastructure protection and risk assessment. 

“…you really should have an innate sense of what risk includes so you can fix it later,” Ernie Hayden

At over 350 pages, the book provides readers with essential tools, examples, and processes that help in the conduct of a physical risk assessment on critical infrastructure. The handbook also serves as a practical guide to consultants, plant managers, corporate risk managers, junior and senior engineers, and university students, who are involved in managing, securing, or operating critical infrastructure environments.

With the need for risk management increasingly becoming crucial in organizations, especially critical infrastructure operators, Hayden’s book provides a grounding in the evolution of critical infrastructure directives, regulations, and laws, while walking readers through the evolution of the regulatory landscape. It also has detailed advice to every risk manager and consultant carrying out risk assessments of critical infrastructure facilities, with a pre-assessment planning phase, followed by site assessment, and concluded by reporting. The detailed process is targeted at arriving at a holistic view of the facility, with the intent to view all activities and look for ‘all hazards’ that can constitute risks to the company. 

Winner of the top book award for the year 2021 from ASIS International, Hayden’s “Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook,” published by Rothstein Publishing in September 2020, serves as an invaluable hands-on, step-by-step guide to understanding, prioritizing, and mitigating risk, in the larger interest of working towards threat reduction.

Industrial Cyber reached out to Hayden for this interview to provide readers with key aspects of the book that would make an impact on the critical infrastructure sector. 

Industrial Cyber: The escalating threat landscape has heightened the need for risk assessment and application of appropriate mitigation strategies within the critical infrastructure sector. What are the essential tips that a risk manager or a consultant that performs risk assessments of critical infrastructure facilities can pick out from your book ‘Critical Infrastructure Risk Assessment’? 

Hayden: There are several essential tips one can pick from my book; however, let me start with the first one: When you see something at your facility, ALWAYS ask yourself a) is it a problem? If so, why? If not, why not? b) what needs to be done to mitigate this problem? c) when does this problem need to be fixed? And d) how do I identify the problem so that it is ultimately addressed, mitigated, and people are not put in harm’s way?

Key to this approach I’m mentioning is you need to have a “critical eye” and look at everything as if it were a potential problem or hazard. You need to have this “critical eye” not only for your own discipline (e.g., cyber security) but you need to have this perspective for other disciplines such as safety, mechanical and electrical engineering, control systems, etc. Of note, I often watch people do their risk assessments but only focus on the areas of their expertise and comfort level. Unfortunately, the other problems are missed or ignored – even if they are quite blatant because the observer doesn’t have the confidence, they can declare an issue outside their area of expertise as a “problem.”

Lastly, the individual needs to understand that an “assessment” is not the same as an “audit.” (Pages 110-111) Audits do not provide adequate depth for the inspection and they only give you a “pass-fail” perspective when it comes to regulations. Overall, you want to know what problems you have and not what compliance issues exist.

Industrial Cyber: What lessons can organizations learn from a cybersecurity attack on the ‘pre-assessment/planning’ stage of the organizational setup as laid down in your book? 

Hayden: The assessment team needs to realize two things: first, an attack can come at any time – even when they are preparing for the assessment, and, second, they need to ensure the assessment approach has adequate flexibility to address the tactical issue (i.e., attack) at hand. Then, they can go into the rest of the assessment plan.

Industrial Cyber: Nations-sponsored and ransomware attacks are rapidly increasing and their methodologies are evolving as we speak. How can the risk assessment techniques and remediation actions offered in your book be aligned, so as to deal with these challenges with critical infrastructure environments?

Hayden: Ransomware attacks tend to be “successful” when performed via a phishing campaign. Therefore, the assessment plan needs to examine how the facility trains staff/vendors/contractors to not click on risky links or be fooled by questionable links. For instance, does the facility include an alert to the recipient if an email is from outside the organization? If not, that would be something I’d identify in the assessment report and recommend be addressed.

Regarding nation-state attacks in general, and besides phishing attacks, the assessment should include an examination of what steps the facility is taking to prevent or block emails from questionable internet protocol addresses such as North Korea, China, Iran, etc.

Finally, the assessment team should look at the site/corporate cyber security philosophy regarding handling of any emails or text messages from outside the organization and how they can be blocked or quarantined if they contain questionable or risky URLs.

Industrial Cyber: Given the shortage of trained and skilled cybersecurity staff, especially in the OT sector, what fundamental considerations would you offer from your book to risk assessment evaluators when assessing the risk within the critical infrastructure sector? What role does ‘critical thinking’ play in the critical infrastructure risk assessment benchmark?  

Hayden: I attempted to address the “critical thinking” perspective in my response to the first question above. But, to reiterate, the assessor needs to look at everything with a “critical eye” and persistently assume that the situation or data is risky until proven otherwise. Critical thinking training would be one way to do this; however, most individuals I’ve worked with who have a “critical eye” tend to be very experienced. So, simply training a brand-new engineer on “critical thinking” is probably not easy to do or necessarily effective. Such a skill comes with time, practice, and experience.

How to begin developing a risk assessment team? I would begin by having each potential risk assessor read – no, study – my book. This would be followed by formal classroom training on the contents of the book. Then, the team should be taken on field trips by qualified senior assessors to walkdown facilities and review problems identified. This will help the new assessors better understand how to “look” at the facilities and systems and identify issues ranging from major to minor.

Industrial Cyber: What specific direction(s) from your book would you give risk assessment evaluators within the critical infrastructure sector, as they head into 2022 in a heightened cybersecurity threat environment, plagued by ransomware, supply chain, and other cybersecurity incidents?

Hayden: First, I’d ensure everyone has increased sensitivity to the issues of ransomware, supply chain vulnerabilities, etc. I’d do this through classroom or Zoom training. Additionally, offering summary one-page reviews of these issues to include a brief discussion on the issue, the symptoms, and how to raise your “critical” perspective sensitivity.

For instance, the U.S. National Institute of Standards and Technology (NIST) offers excellent documentation on these topics (e.g., supply chain). Unfortunately, these documents are very in-depth but they can offer some solid information to be digested into summary training for the assessment team members.

Similarly, take a look at the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and their resources for these and more topics. For instance, closely monitoring the CISA site can give you excellent ideas on topics to ensure the assessment teams best understand (e.g., Apache Log4j vulnerability).

Be sure to take advantage of international and regional cyber and physical security vulnerability discussions when training your assessment teams. One resource is the European Union Agency for Cybersecurity (ENISA).

As a final suggestion, if your company truly wants to be “fluent” in critical infrastructure risk assessments, it is suggested that a formal team be established with designated training staff identified to ensure adequate awareness and training is provided to the assessment team. Also, this team can take advantage of lessons learned following each assessment performed.

Industrial Cyber: What impact do such cybersecurity incidents have on the preparation, performance, and documentation of risk assessment with the complex critical infrastructure facility?

Hayden: A primary impact cybersecurity incidents have on the risk assessment process is the environment is very dynamic. Basically, each day is different, and a static environment simply does not exist. Hence, the risk assessment team needs to be alert and assume there is some new attack in progress or at least being developed.

Cybersecurity incidents are an excellent resource to assist the assessment team with their preparation and review. The cybersecurity incidents will offer ideas to the assessment team on symptoms to look for as well as vulnerabilities that are susceptible to cyberattacks (e.g., phishing attack vulnerabilities). These incidents and their history can come from a variety of resources but one suggestion is the CISA and their various resources that can include lessons learned from cyber incidents.